General Data Protection Regulation: one year later. The approach to penalties and fines taken by Data Protection Authorities
The GDPR has contributed to changing the global perception of personal data. The new European Regulation is still forcing undertakings and institutions to become compliant. In this context, Data Protection Authorities (“DPAs”) are performing an important guidance role through the sanctions and penalties they impose on data controllers and processors.
The DPAs' approach has been reasonable and measured. In fact, under the GDPR, sanctions must be effective, proportionate and dissuasive (Article 83(1)). The sanction system also includes corrective and monitoring powers, in light of the DPAs' task of promoting public awareness and conducting investigations into the application of the Regulation.
For instance, DPAs are able to:
- Issue warnings to a controller or processor whose intended processing operations are likely to infringe the Regulation;
- Order the controller or processor to comply with a data subject's request to exercise their rights;
- Order the controller to communicate a personal data breach to the data subjects concerned;
- Impose a temporary or definitive limitation, including a ban, on the processing carried out by a certain controller or processor;
- Impose an administrative fine;
- Order the suspension of data flows to a recipient in a third country or to an international organisation.
Importantly, the proportionate approach of the DPAs helps to avoid the paradigm under which every personal data infringement leads to a pecuniary sanction. European DPAs are expected to cooperate in promoting a harmonised approach to administrative fines. In this context, the Article 29 Working Party stated that pecuniary fines should not be regarded as sanctions of last resort. Administrative fines must be imposed in a manner that ensures their effectiveness. In short, both excessive penalties and overly mild sanctions can be detrimental to the data protection framework.
In determining the sanction to impose, the DPA has to take into consideration how many data subjects are involved, the legal basis for the processing, the extent of the damage and the likely risks to data subjects' rights and freedoms.
Moreover, the amount of an administrative fine depends on the circumstances of each individual case. The DPA shall give due regard to:
- The intentional or negligent character of the infringement;
- Any action taken by the controller or processor to mitigate the damage suffered by data subjects;
- The degree of responsibility of the controller or processor;
- The categories of personal data affected;
- The degree of cooperation with the supervisory authority in order to remedy the infringement.
Under these circumstances, we are going to analyse the decisions of European DPAs in order to highlight the criteria applied and the infringements most likely to occur in certain types of business and context. Indeed, political and religious dimensions may also lead to GDPR infringements, as happened in Italy with the Rousseau platform used by the Five Star Movement.
In conclusion, analysing and commenting on the sanctions imposed by DPAs can help you tailor a robust data protection framework for your own business, avoiding boilerplate policies or, even worse, privacy document generators.
Author: Salvatore Fasciana